pfctl -e and pfctl -d kills all connections

Max Laier max at love2party.net
Wed Sep 19 11:41:23 PDT 2007


On Wednesday 19 September 2007, Abdullah Ibn Hamad Al-Marri wrote:
> Hello Guys,
>
> Here are my full rules.
>
> When I pfctl -e or pfctl -d all connections will die.

... "rules with synproxy state"

> Do you know the cause?

See above.  Using "synproxy state" causes pf to complete the 3WHS before 
contacting the other endpoint, hence it has to translate all future 
sequence numbers for this connection.  If you disable pf, the translation 
goes away and the connection dies.  The same thing happens if you 
use "modulate state".

For the "pfctl -e" case:  The pf in CURRENT uses "keep state flags S/SA" 
by default for any tcp pass rule.  That means that it will only match on 
the initial SYN that starts the connection.  The rest of the connection 
is then passed based on the state entry.  Consequently any pre-existing 
connection will not have a state entry and be blocked.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
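The two failure modes described in the reply above can be checked for before touching pf. The following script is an added example and is not code from the thread or from the pf project: it parses a pf.conf ruleset (a constructed one is embedded) and, for every TCP pass rule, reports whether established connections die on `pfctl -d` (sequence-number translation from "synproxy state" or "modulate state") and whether pre-existing connections are blocked after `pfctl -e` (state is only created on the initial SYN under the default "flags S/SA"). The function names are my own; the classification assumes exactly the pf behaviour stated in the reply.

```python
"""Audit a pf.conf ruleset for rules that drop established TCP connections
when pf is toggled with pfctl -e / pfctl -d.

Added example, not from the mailing-list thread. The ruleset below is
constructed for illustration. Assumptions (from the reply above):
  * "synproxy state" / "modulate state" rewrite sequence numbers, so the
    connection dies when pf is disabled and the translation disappears;
  * a stateful TCP pass rule defaults to "flags S/SA", so state is only
    created on the initial SYN and a pre-existing connection is blocked
    once pf is enabled.
"""
import re
from dataclasses import dataclass

# Constructed ruleset; the trailing "\\" on the port 22 rule is a pf.conf
# line continuation.
RULESET = """\
ext_if = "em0"
set skip on lo0
block in all
pass out on $ext_if proto tcp from any to any keep state   # default flags S/SA
pass in on $ext_if proto tcp from any to any port 80 synproxy state
pass in on $ext_if proto tcp from any to any port 22 \\
    modulate state
pass in on $ext_if proto udp from any to any port 53 keep state
pass in on $ext_if proto tcp from any to any port 443 flags any keep state
pass in on $ext_if proto tcp from any to any port 25 no state
pass in on $ext_if proto tcp from any to any port 8080
"""

_TCP = re.compile(r"\bproto\s+(?:tcp\b|\{[^}]*\btcp\b[^}]*\})")
_SEQ = re.compile(r"\b(synproxy|modulate)\s+state\b")
_FLAGS = re.compile(r"\bflags\s+(\S+)")
_NOSTATE = re.compile(r"\bno\s+state\b")


@dataclass
class Finding:
    line_no: int
    rule: str
    on_disable: bool  # established connections die on pfctl -d
    on_enable: bool   # pre-existing connections are blocked after pfctl -e
    reason: str


def _logical_lines(text):
    """Yield (line_no, rule) with comments stripped and '\\' continuations joined."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not buf:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(" ".join(buf).split())
        buf = []
        if joined:
            yield start, joined


def classify(rule):
    """Return (on_disable, on_enable, reason) for one pass rule, None if not TCP."""
    if not _TCP.search(rule):
        return None  # sequence translation and S/SA matching are TCP-only
    if _NOSTATE.search(rule):
        return False, False, "no state: pf never tracks the connection"
    seq = _SEQ.search(rule)
    if seq:
        return True, True, (f"{seq.group(1)} state: sequence numbers are translated, "
                            "and the translation is set up from the handshake")
    flags = _FLAGS.search(rule)
    if flags and flags.group(1) == "any":
        return False, False, "flags any: state may be created from a non-SYN packet"
    shown = flags.group(1) if flags else "S/SA (default)"
    return False, True, f"flags {shown}: state is only created on the initial SYN"


def audit_ruleset(text):
    """Return a Finding for every TCP pass rule in the ruleset, in file order."""
    findings = []
    for line_no, rule in _logical_lines(text):
        if rule.split()[0] != "pass":
            continue  # macros, options and block rules do not create state
        verdict = classify(rule)
        if verdict is None:
            continue
        on_disable, on_enable, reason = verdict
        findings.append(Finding(line_no, rule, on_disable, on_enable, reason))
    return findings


if __name__ == "__main__":
    for f in audit_ruleset(RULESET):
        print(f"line {f.line_no:>3}: dies on -d={f.on_disable!s:5} "
              f"blocked after -e={f.on_enable!s:5}  {f.reason}")
```

Run it against a real ruleset by replacing `RULESET` with the contents of /etc/pf.conf; any rule reported as "dies on -d" is one where a reload (`pfctl -f`) rather than disable/enable is the only way to keep existing sessions alive.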